Troubleshooting SafeTP

sftpd (unix server) Installation

The install script, sc/install.pl, should get everything in order automatically. However, you may want to verify that. These are the things to check:

sftpd's files: The SafeTP executables, and the keys used by sftpd during normal operation, should be placed somewhere that sftpd can find them. Something like /home/safetp is typical:

      root@leetch:/home/safetp# ls -ld . * */*
      drwxr-xr-x   6 safetp   daemon       1024 Nov 13 02:33 ./
      drwx--x--x   2 safetp   daemon       1024 Oct 14 15:21 DSA/
      -rw-------   1 safetp   daemon        444 Oct 14 15:21 DSA/private.key
      -rw-r--r--   1 safetp   daemon        510 Oct 14 15:21 DSA/public.key
      -rw-r--r--   1 safetp   daemon        981 Nov 13 02:33 DSA/public.key.txt
      drwx------   2 safetp   daemon       1024 Oct 14 15:21 ElGamal/
      -rw-------   1 safetp   daemon          1 Oct 14 15:21 ElGamal/KeyStrength
      -rw-------   1 safetp   daemon        401 Oct 14 15:21 ElGamal/private.key
      -rw-------   1 safetp   daemon        269 Oct 14 15:21 ElGamal/public.key
      -rw-------   1 safetp   daemon         11 Oct 14 15:21 ElGamal/timestamp
      -rwxr-xr-x   1 safetp   daemon      84436 Nov 13 02:33 addent*
      drwx------   2 safetp   daemon       1024 Nov 11 04:25 kerb/
      -rwsr-xr-x   1 safetp   daemon     607910 Nov 11 04:25 kerb/kftpd*
      drwx------   3 safetp   daemon       1024 Oct 14 15:21 keys/
      drwx------   2 safetp   daemon       1024 Oct 14 15:21 keys/127.0.0.1/
      -rwxr-xr-x   1 safetp   daemon     202504 Nov 13 02:33 makekeys*
      -rw-------   1 safetp   daemon        448 Jan 12 20:43 randomSeed
      -rwxr-xr-x   1 safetp   daemon     359528 Nov 13 02:33 sftpc*
      -rwxr-xr-x   1 safetp   daemon     288164 Nov 13 02:33 sftpd*
      -rwxr-xr-x   1 safetp   daemon     124016 Nov 13 02:33 viewkey*

This listing has some things you may not have. kerb/ is for Kerberos compatibility. keys/127.0.0.1 and ElGamal/ were created during installation as a test, and can be removed.

The permissions for most files should be as shown above. Note particularly DSA/private.key and randomSeed, which should not be readable by anyone but sftpd (which runs as the safetp user typically).

inetd config: inetd is configured by two files.

/etc/services provides the mapping from port numbers to service names. You should have lines like:
```
      ftp             21/tcp          safetp
      raw-ftp         351/tcp
      
```
The lines shown map port 21 to 'safetp' and port 351 to 'raw-ftp'. See services(5). Note that some sites are configured to use NIS instead of /etc/services; see ypserv(8).

/etc/inetd.conf provides the mapping from service names to the commands that run them. You should have lines like:
```
      raw-ftp stream  tcp     nowait  root    /usr/sbin/tcpd  wu.ftpd -l -i -a -t0
      safetp  stream  tcp     nowait  safetp  /home/safetp/sftpd sftpd -f351 -s -y/home/safetp
      
```
The lines shown run wu-ftpd on port 351, and sftpd on port 21. In my setup, wu-ftpd is run behind TCP wrappers (tcpd); sftpd can be also. See inetd(8), ftpd(8), tcpd(8), and sftpd(8).

Note: After you make changes to either /etc/services or /etc/inetd.conf, you must send the HUP (hangup) signal to inetd to cause it to re-read its configuration files. See kill(1).

If the install script has failed, you may want to consult install.txt (included in the distribution) for manual install instructions.

Testing the ports setup

If things aren't working, the first step is to verify that each of the relevant ports is being "answered" by the right program. For example:

  scott@leetch:~% telnet localhost 21
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  220-leetch.pasture.cow FTP server ready.
  220-*** This server can accept secure (encrypted) connections. ***
  220 *** See http://safetp.cs.berkeley.edu for info. ***
  ^]
  telnet> close
  Connection closed.

From this fragment we can see that sftpd is listening to port 21, and is successfully connecting to ftpd (because the 220 message includes the info about wu-ftpd).

Possible problems at this stage include:

Connection refused
This would mean that nobody is listening to port 21. inetd is probably not configured right. Check the system logs for diagnostics from inetd. Did you HUP it?
Connection closed (immediately after connect)
This is caused by inetd accepting the connection, but failing to execute sftpd. Possible causes include an incorrect path in inetd.conf or a problem finding needed shared libraries. Try running sftpd from the command-line (see below). Or, if you're running sftpd behind TCP wrappers, tcpd may have disallowed the connection; see the system logs and tcpd(8).
510 connect: Connection refused (code 111)
This means that sftpd started ok, but failed to connect to ftpd. Check the system logs, and/or try to connect to ftpd directly (see below).
510 Assertion failed: FTP server immediately closed connection; it's probably disabled, file sftpd.cpp line 573
sftpd was able to connect to ftpd, but then ftpd immediately closed the connection. This could be because inetd failed to execute ftpd. Or, if you're running it behind TCP wrappers, because tcpd decided not to allow the connection. The system logs should have more detailed information.

We can also investigate ftpd itself:

  scott@leetch:~% telnet localhost 351
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  220 leetch.pasture.cow FTP server ready.
  ^]
  telnet> close
  Connection closed.

Again, possibilities include connection-refused or connection-closed. A problem at this stage is not related to sftpd. Check the documentation for ftpd and inetd, and tcpd if you're using it. Until you can manually telnet to ftpd and get a 220 response, sftpd won't be able to, either.

Try it with sftpc

sftpc(1) is the unix command-line SafeTP client. Try using it to connect to sftpd:

  scott@leetch:~% sftpc localhost
  sftpc version 1.40
  Connected to localhost (127.0.0.1, port 21).
  220-leetch.pasture.cow FTP server ready.
  220-*** This server can accept secure (encrypted) connections. ***
  220 *** See http://safetp.cs.berkeley.edu for info. ***
  Starting negotiation...
  Public key for 127.0.0.1: SafeTP at leetch.cs.berkeley.edu [10/14/1999]
  235 Security data exchange complete.
  211 DIGT=uh9Iqi/mtOZUSbnuMqBlRGVdA+s=
  Negotiation completed.
  200 The PBSZ is ok.
  200 Data channel protection set to 'private'.

  User name (Enter = scott)?

If this works, log in, and issue the "test" command. This will test many features of sftpc and sftpd, including transfers under all combinations of data encryption on/off and passive/active mode. If it works locally, but you're having problems connecting from a remote site, build sftpc there and try it from the remote site.

Ideas for experimentation:

Try the -d switch. It will cause sftpc to print much more detailed diagnostics.
If only one of passive or active mode works, there may be a problem with a firewall blocking connections. See Notes on Firewalls.
If it only works with data encryption turned on, ftpd may be unhappy making 3rd-party connections. See the description of the -3 switch in sftpd(8).
Other command-line switches are documented on the sftpc(1) man page.

Try running sftpd from the command line

From the command line you can interactively try things much more easily than with inetd, and see diagnostic messages on the console. However, sftpd will only handle a single connection when run this way, so it's only useful for debugging.

Be sure to tell sftpd where to look for its keys, by supplying the -y switch. You can create keys using the 'makekeys' standalone program. See sftpd(8) for more info on command-line options.

Example command line:

  scott@leetch:~/sftpd% ./sftpd -p3333 -f351 -y/tmp/scott

Ideas for experimentation:

sftpd doesn't have to run as a privileged user if you have it listen to a nonprivileged port (>1024).
If you want to try it with sftpd listening to port 21, comment-out the conflicting line in inetd.conf (if any) first, and HUP inetd.
The -d1 switch will yield additional diagnostic output. -d2 gets even more.

Trouble with the Windows client

The Windows client has its own documentation. However, one key fact is that the Windows client only secures connections to specific ports -- currently limited to ports 21, 353 and 2123. If you're troubleshooting problems with the client, be sure to run sftpd such that it listens to one of these ports.

General tips

Check the system logs. All the daemons (inetd, ftpd, and sftpd) should be reporting failures to the logs (see syslogd(8)).

If all else fails

If you can't get it working, email me! Send me:

Info about your platform: OS, processor, etc.
Your inetd configuration; excerpts are fine.
A description of the problem, including any error messages. Cut+paste from a console window is ideal.
Output from sftpd -d2 (for this to work you have to run sftpd from a shell prompt, not inetd).

Output from sftpc -d -a, if you can reproduce the problem with sftpc. Example of sftpd/sftpc test (using tcsh/csh), assuming the regular ftpd daemon is now on port 351:

      safetp@myhost% sftpd -d2 -p3333 -f351 -y/home/safetp >& sftpd.log &

      anybody@anyhost% sftpc -d -a myhost 3333
      [then capture the screen output using cut & paste]

The debug log from the Windows client, if the problem only shows up there. Logging is turned off by default in the Windows client; see its documentation for info on turning it on.